Join us for the most important Zero Trust conversations happening in cyber today. Listen and subscribe anywhere you get your podcasts.
Dr. Chase Cunningham
Practicing Zero Trust and Adopting Assume Breach

In this episode, host Raghu Nandakumara sits down with Chase Cunningham, former Forrester analyst and “Dr. Zero Trust,” to discuss the evolution of the Zero Trust framework and what organizations get wrong when mapping out their Zero Trust strategies. 


0:00:04.1 Raghu Nandakumara: Welcome to The Segment: A Zero Trust Leadership podcast. I'm your host, Raghu Nandakumara, Head of Industry Solutions at Illumio, the Zero Trust Segmentation Company. Today, I'm joined by Dr. Chase Cunningham, also known as Dr. Zero Trust, Chief Strategy Officer at Ericom Software and former Forrester analyst. Prior to his role at Ericom, Chase was VP and principal analyst at Forrester Research where he focused on security operations center planning, counter threat operations, encryption, network security, and Zero Trust concept and implementation. Over the years, Chase has also held various threat research and intelligence roles with organizations like Armor, Accenture, and the National Security Agency. Today, Chase is joining us to talk about the evolution of the Zero Trust framework, how to get Zero Trust right, and what organizations get wrong when mapping out their Zero Trust strategies. Everyone loves a good origin story, right? So let's hear the Dr. Zero Trust origin story.

0:01:09.1 Chase Cunningham: I tell people, and I'm not joking, I'm super lucky to have had any success in life or in cyber at all, just because it's a constant bumbling into luck and having good people around me. I joined the Navy as a diesel mechanic. I had nothing at all to do with computers, whatever. The way that I got into cyber was totally by accident. 

0:01:31.1 Raghu Nandakumara: Nice, nice. So this is the Zero Trust podcast; we're going to end up talking about Zero Trust. What was your exposure to Zero Trust – was that directly related to what you got up to at Forrester or were you exposed to this prior to that as well?

0:01:48.5 Chase Cunningham: After I did all my cyber and crypto stuff in the military and then I went to do stuff for the government, I actually taught and wrote curriculum for computer network exploitation which was the government's way of billing for really expensive stuff when you're doing red teaming. So I did red teaming in the government space for quite a while, and when I was talking with John Kindervag, who I had known when he was still at Forrester, he was talking about the ZT thing and at the time I was like, okay, sure, whatever it sounds like marketing shenanigans 101, cool, blah, blah. And then I came to Forrester and I was actually, I would say, pissed off that they said, “Hey, you're going to pick up John's dirty underwear and do this ZT thing.” But when I started looking at it from the perspective of “if I was a bad guy or a red teamer, would these concepts cause me to quit and go find another target?” And they would. All of a sudden the light bulb went on, and I was like, “Okay, John was on to something.” So I just went at it. But I did seriously argue with my boss, Joseph Blankenship, and other people at Forrester: “Please don't make me do something someone else has already done because I don't want to be second fiddle in whatever.” But it turned out to be a good use of my time.

0:03:01.9 Raghu Nandakumara: Yeah, absolutely. And I would say as a practitioner, I'd say that John Kindervag sort of laid the foundations for the modern definition of Zero Trust. I would say that you more than probably anyone else did most to really take that mainstream. So how do you now feel that this baby that you nurtured is finally starting to walk on its two feet?

0:03:30.3 Chase Cunningham: To stumble along.

0:03:31.9 Raghu Nandakumara: I wouldn't say snowball yet but at least walk on its two feet.

0:03:35.5 Chase Cunningham: It's good that there are folks that see that there's value to a strategy that makes sense. I'm sick and tired of hearing people complain about the buzzword and whatever else and all the “hater-ade” that comes along with it. I'm working on a blog right now about if you don't buy what we're selling and you don't think this makes sense, please continue being stupid in doing what you're doing, and you're going to be the one that's the slow gazelle. Go ahead! I am to the point now that if there's this massive market moving and all this adoption and I'm... I had calls yesterday with people in Argentina, I'm going to speak in Columbia next month on ZT. If the whole world thinks this is a real thing and you, the haters, don't, fine. Be a hater, and let me know when you get your ass handed to you and then come talk to me about ZT.

0:04:26.7 Raghu Nandakumara: So yeah, I'm in agreement. Otherwise, we wouldn't be doing this. And you look around and you say, “Okay, what was the tipping point?” Because there was enough in terms of the actual premise behind why Zero Trust. It's common sense. But it's taken forever for people to almost reach that level of common sense. What was the tipping point in your opinion?

0:04:56.5 Chase Cunningham: I think COVID was the gas on the fire that was needed because there was such a move to figure out really quickly how to keep businesses up and running. And then how to also not just open the door writ large and go, “I hope we don't get pwned to the nth degree.” Enough people had an opportunity, a crisis, an opportunity, a “crisistunity” to step back and go, “Okay, we can do something different, and here's how we can do something that makes a little bit more sense.” Because, obviously, we had proof that the other model didn't work, and now with remote and all the other things that we're seeing – and I think I read a paper this morning about how hybrid has kind of been accepted now as the way that work is going to look like – maybe not everybody has to be in the office. That reality requires us to have that sort of approach, and ZT just happened to be in the right place at the right time with technology that evolved to enable that thing.

0:06:03.2 Raghu Nandakumara: Yeah, absolutely. And do you think that it was not just COVID and the move to hybrid work, etc., but do you think it was also a greater realization of what that threat landscape now looked like? I know you talk about how ZT almost equates to “assume breach” or actually vice versa. “Assume breach” is the fundamental on which ZT is then the answer.

0:06:34.4 Chase Cunningham: Yeah, I mean, it's funny because that used to be such a sticking point for people, to accept that you already have a compromise. “Oh no, no, that's not a thing, we're not compromised, and we have millions of dollars into this.” And it's like, “Oh, I mean, okay. Let me write this down because you'll be pinging me in six months.” And that’s not a knock on a person or something, it's just the reality of the space. So accept it, and then align your resources around it to work your way past that problem. It doesn't have to be a negative really, if you think about it differently. And the other “hater-ade” that's all over the place right now is, “this is not new.” That's correct. This is an evolution and a maturation of something that makes a lot of sense, and it's made sense for a long time. Like you said, people just ignored it because people are, I don't know, people. We suck in general.

0:07:33.9 Raghu Nandakumara: It was on your LinkedIn or Twitter recently where I think you put something up along the lines of there is no patch for human stupidity or something along those lines. Sorry to misquote you if I did. I know our listeners are going to be experienced security professionals, and they'll have heard “assume breach” and they'll have heard of Zero Trust. Why is Zero Trust the natural answer to “assume breach”? If the question is “assume breach,” why does Zero Trust have to be the answer?

0:08:10.8 Chase Cunningham: So let's flip the script for a second and say we're not worried about defense. Let's just say we accept that there's a compromise. Okay, done. Now, what do we not really want to have happen? I want them not to be able to stay in my network or my environment. I want them not to be able to move around. If someone breaks into my house, that's a problem, but I don't want you moving in and living with me. So, let's be real about that. If we accept that that's what we're trying to do, what does the bad guy need to succeed in that manner? They need trust relationships from within systems. And John [Kindervag] says it all the time: Trust is a human emotion; we've built it into computers. If you remove the trusted relationships, it's not that there's going to be “zero trust.” It's that they're going to have manageable risk based on trust relationships, and that makes the bad guy's day really hard. That's what we want. You're not going to never have a breach; you're not going to never have a compromise. And, I agree with folks, they'll say, “Well, there's no such thing as Zero Trust.” Correct. Just like there's no such thing as zero body fat because you'd die, but you try to get really low.

0:09:24.2 Raghu Nandakumara: Yeah, 100%. And I think the sort of something that you said just there is about making life difficult for the attacker. I think we're getting better at that approach, but still, I think too often we don't approach building security controls from that perspective. It's just so natural. Make it difficult for them; they'll go somewhere else.

0:09:52.5 Chase Cunningham: It's people trying to defend their position at the company in the wrong way. I mean, you’ve got CISOs now which have got their seat at the table, and great, that's super awesome. But the reality of it is they're typically trying to justify their position at a company and telling folks that they're going to be perfectly defended or whatever else. Instead of that real conversation about like, “Look, what I'm doing is going to exponentially reduce our risk, and that's going to make this more manageable, and we can keep uptime going and whatever else.” I have yet to run into a single workshop with a client that has been about the technology piece of ZT. It has 100% been about the leadership issues that you faced there.

0:10:32.9 Raghu Nandakumara: Yeah, exactly right. Some blogs I was reading last week around how adopting a Zero Trust strategy is so much about that cross-functional buy-in. Way more than just being a security program for the security organization. So, for organizations that are adopting Zero Trust, would you say there is anything where organizations are doing Zero Trust wrong? Or would you say that anyone who's doing Zero Trust should be credited?

0:11:07.3 Chase Cunningham: No, I think there's a way to do it wrong. If you're not understanding where you're starting, you're not having a very real conversation about the things that are most important and working your way outward from there, like we've talked about for a long time, then you're missing the forest for the trees. Personally, my methodology is that the first thing we're going to do is, maybe it's not a real-world red team, but I'm going to throw a scenario at you and then I'm going to sit there and watch and see what happens. Because until you've been through the stress of that situation and you've actually had your feet to the fire, it's all pontification. You know what I mean? If the reality of security is to make us survive past a breach, which is one of those “oh my god” moments, then we need to react based on what will actually occur. And I've had so many companies that have said, “We're ready!” and I go in and drop the situation folder in front of them, and then you watch the heads roll, the arguments happen, the people running out of the doors, and it's like, this is where we begin. This problem is solvable. This is a management leadership issue. Technology, that's gravy, baby. That comes later.

0:12:15.4 Raghu Nandakumara: Yeah, 100%. So how does an organization do this right? What is the playbook that they need to adopt to do Zero Trust, adopt a Zero Trust strategy, be successful with it, be able to measure it? Let's unpack that.

0:12:31.3 Chase Cunningham: Well, I think the first thing is to put your feet to the fire and understand from not just the security team's perspective, but all the way up and down as much of the food chain you can get involved. What would actually go bonkers when something does occur? That way, you've at least experienced the misery that will come. So that's an organizational piece. The second thing I think that is critical is having a really good understanding of the totality of assets that's touching that enterprise, that network, whatever, because I can't defend what I don't know about. And then mapping your controls based around those gaps that you see. If you think about it from the perspective of the general on the top of the battlefield I can look out across everything. If I can do that, I can vector resources to plug the gaps. I don't want to be underground and then looking up and going, “Geez, I really hope I'm putting the right things in the right place on this battlefield.”

0:13:25.3 Raghu Nandakumara: And for organizations that start this journey, where do they commonly come unstuck?

0:13:33.4 Chase Cunningham: Usually they go too big, too fast. I was working with a bank, a large one, and they said, “Well, we're going to do ZT for users.” I was like, “Cool, super great. I think that's positive.” And they said, “We're going to roll it out and we're going to start with 5000.” And I was like, “Whoa, whoa, that's not small.” And they said, “Oh, well we're a global bank.” I was like, “That's not small.” And they said, “Okay, well what number should we start with?” And I said, “Five.” And they were like, “Five? That's not even worth our time.” And I said, “Well, if I breached five people at your company, would that wreck your shop? Then if you get it right for five, you do it for 10, and if you get it for 10, you do it for 50. And then you roll, you sharpen the blade based on grinding it against the metal rather than coming in swinging and think you got it right.”

0:14:23.2 Raghu Nandakumara: But how do you pick the five? Did you say, “right, pick these specific five that meet these profiles,” or was it, “alright, let's start small.”

0:14:33.5 Chase Cunningham: Right. If you're going to pick those five individuals, who's got the most admin access in a system, those five, those are the people I want to focus on first. And if they come back and go, “Well, one of them is the CEO.” Okay, well we have a real issue there. Why the hell does the CEO have admin access to things?

0:14:50.0 Raghu Nandakumara: So like, there'll be folks listening in here and thinking, “What are those little pearls of wisdom that Dr. Zero Trust is going to shower us with, because I'm struggling with this Zero Trust strategy.” What would that be at this moment, based on what you've been seeing happen? What's like, here's my pearls of wisdom.

0:15:13.5 Chase Cunningham: I think the biggest thing is treat cybersecurity just like you treat the other pieces of your business. How many times have we been in a meeting with the CEO, and they say something along the lines of like, "Everybody's in sales at this company." And does anyone stand up and go, "Screw it, no way." You're engaged because you're part of that organization and sales is critical to the business success. Guess what? Cybersecurity is the same way. So talk to people like they are part of it and they need to be engaged. And on top of that, I think you should also quit investing in solutions that are not technical controls because this is a technology fix and treating people like they're pieces of gear is stupid and you won't get the return on it. It's a great thing for investors and it's good for the VCs, but put them up there. Find me an organization that has trained themselves out of no compromise, and I'll bring in some folks that will wreck shop real quick.

0:16:18.3 Raghu Nandakumara: You started talking about vendors, and vendors for sure jumped on Zero Trust way before the practitioners did. What is it that vendors have done to corrupt the Zero Trust market?

0:16:43.1 Chase Cunningham: Well, I think it's a couple of things. Number one, obviously they ran with a lot of, “We did X, so we’re ZT now.” Wait a minute, there's more to ZT than that, there's no button and there's not a product for it, so that's been one. And then they market it. It almost seems like the ones that were more egregious at doing that, marketed it even harder. They were like, “If we're going to be this, we're going to double and triple down until somebody calls us out.” And the other piece is the move towards platform which has been, “hey buy all this stuff” - I call it the Walmart of Cybersecurity - “buy all this crap that's on our shelf, and I swear to god, if you buy enough of it, eventually it'll all work together magically, and you'll have the Lego house of your ZT thing, and we'll sell it all to you in one fell swoop.” And it doesn't work. There are portfolios, and there are very, very few platforms that are in this space, and that's been what's gotten it most off-kilter in my opinion.

0:17:39.4 Raghu Nandakumara: So what's your message to vendors? Zero Trust is an important initiative for vendors to play into. What do they need to do more to actually encourage Zero Trust adoption in their customer base?

0:18:09.4 Chase Cunningham: Well, I think one is just lead with the understanding that the reason somebody's engaging you in a conversation about ZT is because they're asking a strategic question. So be able to answer the strategic question with a strategic value proposition. That is super valuable. And the other thing that I get people on all the time when I do advisory with vendors and whatnot is, I ask the vendors, "Tell me where you're at in your Zero Trust journey? What are you guys doing for your own ZT?" Usually, I get crickets or a lot of looking around. If you're not doing ZT yourself, why in all of god's wisdom would I buy your shit to do ZT for me? If you don't know how to drive, don't tell me how to move my race car.

0:18:54.3 Raghu Nandakumara: 100%. So I know you're involved with the Zero Trust demo forum. What is that doing from providing a platform for vendors but also providing for the end users, for the consumers? What is that enabling that, let's say, other similar organizations are not?

0:19:17.2 Chase Cunningham: Yeah, so part of the problem is, if you're going to get what I would call good jury content on vendor technologies, you have to do a lot of bird dogging yourself, and that can be time consuming. So what we've done with the demo forum is to say, "Let's go drive the vendors that have a valid claim here, have them talk about the stuff, do some thought leadership and then literally demo their system." And yes, it's a vendor demo, but it's a demo so that an end user can go look at that and say, "Okay, I really want to see this X problem being solved. These guys have got really good technology, it seems. Let me go listen to them talk about it. And then, by the way, I can see what that solution actually does." And that to me, from the perspective of this, the research side, is it makes it where the end user has much fewer steps to jump through to get really good intelligence on what's going on with the vendor space.

0:20:12.8 Raghu Nandakumara: I want to understand this a bit more because you talk about use cases, and we haven't really spoken about that. What you're saying here is that it's very much specific use cases that Zero Trust enables and being able to showcase that as opposed to a generic, “Oh, we enable you to accelerate your Zero Trust journey.” So is the focus on very targeted use cases?

0:20:42.2 Chase Cunningham: So it's around use cases, and it's also around taking the vendor space and carving up the capabilities into the pillars of the framework. Like I said earlier, there's not a whole lot of platforms, but there are some solid portfolios. If I'm looking for the vendor that does cloud access management, or whatever, just pick your random super cyber ZT term. I can go look at this, and I can go, "Okay, these are the vendors that have those capabilities." There's five or six of them that actually do that thing. I should look at five or six instead of 247. I think I looked today and added it up and there was 2,731 vendors in cybersecurity. That's crazy. We're talking, I think the numbers that Richard Stiennon put out were $60-something billion in the market.

0:21:39.2 Raghu Nandakumara: So, the vendor sprawl that exists today, do you see – and you spoke about portfolio versus platform as well, or looking into 2023 – do you see that there will be the formation of a true Zero Trust platform? With vendors looking at a true Zero Trust platform scope and building that interconnected set of acquisitions or homegrown products? Do you see that as being real, or will we still see vendor sprawl at least for the next 24 months?

0:22:19.5 Chase Cunningham: I think for a variety of reasons, we're going to see a consolidation of a lot of that space. The recession is going to do part of it. We're having the economic headwinds and whatever else that's going to drive a lot of that. I think we've also saturated the market on interesting, new, cool, sexy things, we've seen a slowdown in that space as well. And APIs now are so good that it is valid to take a portfolio of capabilities and mush them into the operational platform you're looking for. And that's actually the really valuable thing, I think, is if I can say, “I want to use these guys that are really good at this, and these guys that are really good at this. I don't want to buy it all from them, but I want to make them cooperate and collaborate together to give me maximum output.” That's where the platform side of this actually does become a thing. And it's kind of a homegrown side of it, but it's because of the APIs that are part of that integration.

0:23:18.0 Raghu Nandakumara: Yeah, I agree, and I think we've had this conversation before about really bringing together, and you've been a huge promoter of this consistently, about bringing together the best of breed capabilities but being able to almost unify them in a single control plane. And as you said, a lot of that is very much homegrown. You've got to be serious about wanting that and then building that.

0:23:44.7 Chase Cunningham: Yeah, I think you can get towards a semblance of that. And the other piece of the use case conversation is there will always be, for different businesses and different verticals, that one use case that requires them to have a best of breed whatever, which is fine. That's your most critical thing. By all means, get the Lamborghini of that stuff. But for the workforce side of this, that's where this other approach, in my opinion, makes the most sense. Funny enough, when you're talking about Lamborghini, everybody forgets Lamborghini started out as a tractor manufacturer.

0:24:25.1 Raghu Nandakumara: Yeah, exactly. Well, the only Lamborghini I have is the one that my son made out of Legos, and believe me, that took us six months to finish. You kind of alluded to the macroeconomic conditions, you spoke about ROI, so let's talk about that for a bit. At a high level, how does adopting a Zero Trust strategy deliver ROI? Or how do you show ROI for adopting Zero Trust?

0:24:56.4 Chase Cunningham: So I think one of the best ways that I've seen working with organizations is really what they get rid of as they move towards a strategic side of things. I've worked with organizations that have had at least two, if not three, similar solutions solving similar problems that have been implemented by new teams over time. I think the most interesting one was somebody that had three IAM [identity and access management] solutions all doing the same thing, and it was like, "Well, which one is the best? So, here we go, let's bring that in." The years before this were lots of knee-jerk responses to the new needs, new problems, new risks, new threats. We've kind of saturated a lot of that. Now the next thing is to go, "What actually meets the needs? What enables my strategy? Let me whittle away some of the crap that I don't need," and then that budget frees up for other things. And any time you have a conversation in the business with, "I freed up budget," all of a sudden people start smiling. You don't want to be asking for more but you're good to say, "I'm willing to sacrifice some."

0:26:00.2 Raghu Nandakumara: But in your experience of leading a lot of Zero Trust initiatives, when is that ROI often realized? Because I assume you may have a hint of it being realized up front, but actually seeing it in the flesh is a way into the cycle. So when is that often realized?

0:26:24.2 Chase Cunningham: It'll be a while into the process. The good thing is you can scope it out and kind of have, I would say, almost a predictive budget that you can go back and say, "As we migrate, year zero to three, here's what's going to go away, and here's where that budget is going to free up" because we know what stuff costs, and then you can begin to go, "This year, I'm going to free...." It's the reverse of your budget cycle that you did to get this stuff, now you're just off-loading it and you can say predictively what you're going to free up.

0:26:54.7 Raghu Nandakumara: And I guess that's why the whole scoping of the Zero Trust program is so important, so that you don't over-scope at the beginning and are thus under-resourced to execute.

0:27:08.4 Chase Cunningham: Scope creep will eat you alive. And that's why I think it's so critical to really have the leadership conversation in the planning before you begin. Don't confuse tactical execution with strategic value, and a lot of people do that. "We did this. Okay, cool. What's next?" That's tactical execution. Strategic value is, "I'm marching towards this thing, what tactics do I do that will enable me to keep that march going?"

0:27:36.4 Raghu Nandakumara: Yeah, I love the way you express that because I think that's the bit that people miss when they are trying to execute a Zero Trust strategy. That they have that strategic goal, but what they lack is actually the tactical steps that they need to take in order to achieve that. And then hence, they never see the return on their investment or they never even make the first step because they're just considering the big picture. So moving on a bit, let's think about Zero Trust and how regulators, government bodies, etc. are starting to really sort of push for the adoption of Zero Trust strategy. There's of course the Biden Administration’s EO is world famous now, I'd say.

0:28:32.2 Chase Cunningham: It was a watershed moment.

0:28:34.5 Raghu Nandakumara: A 100%, but it's been about 18 months since it got issued. Where are we in terms of actual progress against that?

0:28:44.3 Chase Cunningham: In October of 2022, the federal government finally formally established a DoD Zero Trust Program Office, and any time the DoD sets up a program office that's something. On top of that, they allocated about a billion — $1.1 billion — to that office and said, "Go off and enable ZT." So in government speak, that's pretty fast. 18 months to get towards a PO with a lot of money allocated to it is fast-ish, and they're starting to put things in place. Without getting myself in trouble, I've been engaged in some of the conversations with some of those organizations, and there's movement going on, but they're sticking to the strategy that they outlined in the DoD Zero Trust document that was published on the 23rd of November. So they're doing what I think is the right thing, sticking to their guns and moving forward. It's going to be a slog. What everybody kind of read through that strategy document, they said, "Oh, the DoD says they're gonna be ZT by 2027." That's not at all what they said, they said that they're going to be in a state of Zero Trust by 2027. If you read through the whole thing, it actually talks about that they won't be in an operational, full-compliance state till 2032, and that's early. So that's a very realistic timeline, in my opinion.

0:30:10.5 Raghu Nandakumara: And do you think it's a program that has got sufficient momentum behind it, that it's going to last the course? Or is it still too early to say?

0:30:22.2 Chase Cunningham: I think it's pretty early to look in a crystal ball, but I do think that the way that they've changed the incentive structure – they went from a lot of stick to a lot more carrot – is going to drive that forward. Because where they’re gonna get a lot of value out of it and the conversation already happening is that they've got the “beltway bandits” that are just clamoring and circling like sharks with blood in the water to come help make that happen. And that's how things get done in government: when you got the beltway bandits coming along and making it actually happen. If you relied on the DoD to do it themselves, the sun would burn out before anything got done.

0:31:02.0 Raghu Nandakumara: “Beltway bandits,” first time I've heard that term, but I get it straight away.

0:31:06.9 Chase Cunningham: I live near the beltway, so I see them all day.

0:31:11.8 Raghu Nandakumara: And I guess the whole reaction of other regulators and other government organizations like the TSA, for example, issuing security directives to these LNG operators is a direct manifestation, a direct follow on from the EO but also threats to critical infrastructure. The threats are not a good thing, but their acting is a good forcing factor for the adoption of Zero Trust.

0:33:44.5 Chase Cunningham: Yeah, I tell folks, I don't even care about the threats really. If you spend all your time worrying about the next sexy, cool Russian exploit or whatever somebody is going to steal from NSA and release to the open Internet, it's an exercise in futility. Really what you should be doing is looking at, like we talk about in ZT, is what the fundamentals are for those things to be successful because they're physics. There's things that can be sexy and cool way up here, but I'm gonna deal with the problem down here at the very lowest level and make it where those things won't work. And then a win is a win is a win, and work with that.

0:32:21.6 Raghu Nandakumara: Yeah, because ultimately it's the same things that keep getting exploited, that attackers benefit from. That very rarely has changed.

0:32:31.6 Chase Cunningham: In all of warfare, because cyber is a warfare domain, in all of warfare in history, no one has ever had to be this clear what the enemy is going to do to win, and they still sit around going, "Well, I wonder how we defend this." Come on, man, they color with crayons. It's written right here.

0:32:47.5 Raghu Nandakumara: Yeah, exactly, so it's that time of year where I'm sure you're inundated with requests for, "Hey, Chase, give us your predictions for 2023." I will put you on the spot here: 2023, what does it hold for Zero Trust?

0:33:07.9 Chase Cunningham: I think the biggest thing is you're gonna see more adoption of ZT outside of the US market. That's the only prediction I feel like I can stand on and say that that's probably going to be realistic, and that's literally because I'm having those conversations with organizations in Latin America, Australia, Japan, India, the UK, the Nordic region. So I think that that's the thing that will continue to grow. Other than that, I would say the majority of it is going to be the same thing different day with slightly different shenanigans around it.

0:33:47.1 Raghu Nandakumara: And do you see that acceleration of Zero Trust adoption specifically in public sector or public-sector driven? More EO-type edicts coming from governments in other countries or private sector-driven?

0:34:08.2 Chase Cunningham: I think internationally it's going to be mainly private sector driven. I do think, slash wink wink, have a bit of insight that some stuff is probably coming as far as public directives in the US. But cyber is kind of a trickle-down space where the US and the DoD are ahead of everyone else or doing the first-to-the-bat type things, and it works its way everywhere. So I think Australia I know has been doing some work around kind of mapping their essential eight to Zero Trust, so I think that there's going to be some stuff like that, but maybe it'll happen this year, maybe not.

0:33:47.3 Raghu Nandakumara: All right, so before you wrap, you and John, you go and meet each other for a drink and you're swapping Zero Trust analogies. Who's got a better Zero Trust analogy?

0:35:01.5 Chase Cunningham: It could go either way, honestly, depending on how many drinks we've had to be perfectly frank. Yeah, John's obviously the godfather, but I throw some good ones out there once in a while.

0:35:16.3 Raghu Nandakumara: Go on, let's hear one. Let's hear the latest one you've put together.

0:35:21.4 Chase Cunningham: As far as what is Zero Trust? Yeah, I'd say Zero Trust for me is like dating my daughter. I'm going to know who you are, I'm going to see what's going on, I'll provide you access to her, I'm going to monitor what's going on. And then if you do things that are outside the balance of what I would call acceptable, you're gone, that's it.

0:35:42.8 Raghu Nandakumara: Chase, with that, I thank you so much for your time. Everyone listening into this, Chase, Dr. Cunningham, Dr. Zero Trust has his own eponymous podcast, Dr. Zero Trust, available on all the usual platforms. Go and check it out. It's a regular dose of the most real, the most actionable content on all things cyber, not just Zero Trust, but you get a whole load of Zero Trust goodness as well there. Thank you.

0:36:12.2 Chase Cunningham: Awesome, thanks so much.

0:36:15.7 Raghu Nandakumara: Thanks for tuning into this week's episode of The Segment. For even more information and Zero Trust resources, check out our website at You could also connect with us on LinkedIn and Twitter @Illumio, and if you liked today's conversation, you can find our other episodes wherever you get your podcast. I'm your host, Raghu Nandakumara, and we'll be back soon.